Triage | Malware sandboxing report by Hatching Triage

Sharing

General

Target

aed5c7355746817265352226221264d35bf753a44f273912d42629019b7c4b8f
Size

381KB
Sample

230129-mk5v6ach5w
MD5

0957d5d8d21751f2fd1ad2015b19abe0
SHA1

c098ddc18a8a0dade35436f968eb43c1f4c9253c
SHA256

aed5c7355746817265352226221264d35bf753a44f273912d42629019b7c4b8f
SHA512

a7cbde567cd869828c757bd32a6571c401782bbdc54b76c1faa9e9b2509187b81dd85a0db641fa182c04edb598be75009ed02e9f0f196942d9662a8b1ed3e0b6
SSDEEP

6144:3rK18vkksg2P4vWigPJJJPJJJGJJA/+aU4Kau:3rMlM2QvgPJJJPJJJGJJpF

Score

10^/10

ramnit banker evasion persistence spyware stealer trojan worm

Malware Config

Targets

- Target
  
  aed5c7355746817265352226221264d35bf753a44f273912d42629019b7c4b8f
- Size
  
  381KB
- MD5
  
  0957d5d8d21751f2fd1ad2015b19abe0
- SHA1
  
  c098ddc18a8a0dade35436f968eb43c1f4c9253c
- SHA256
  
  aed5c7355746817265352226221264d35bf753a44f273912d42629019b7c4b8f
- SHA512
  
  a7cbde567cd869828c757bd32a6571c401782bbdc54b76c1faa9e9b2509187b81dd85a0db641fa182c04edb598be75009ed02e9f0f196942d9662a8b1ed3e0b6
- SSDEEP
  
  6144:3rK18vkksg2P4vWigPJJJPJJJGJJA/+aU4Kau:3rMlM2QvgPJJJPJJJGJJpF
Score

10^/10

ramnit banker evasion persistence spyware stealer trojan worm
- Modifies WinLogon for persistence
  persistence
- Ramnit
  Ramnit is a versatile family that holds viruses, worms, and Trojans.
  trojan spyware stealer worm banker ramnit
- UAC bypass
  evasion trojan
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Bypass User Account Control

Tasks

static1

behavioral1

ramnitbankerevasionpersistencespywarestealertrojanworm

behavioral2

ramnitbankerspywarestealertrojanworm